Admin Alert: Safely Deleting a User Profile
November 3, 2004 Joe Hertvik
As employees leave a company, many administrators disable their OS/400 user profiles, rather than deleting them, because the profiles may own critical system objects, may be used in regularly scheduled batch jobs, or may be group profiles that others depend on. Disabling terminated profiles is common practice because there isn’t an easy way to discover which objects a profile affects, so administrators generally believe it’s better to play it safe and keep an old user profile.
To help remedy this situation, I offer the following checklist for deleting terminated user profiles instead of disabling them. By following this checklist, you can safely delete most terminated user profiles without incident, keeping your user profile list clean, current, and uncluttered.
The first step is to investigate and replace any OS/400 functions that use the profile as a base. This step involves asking the following questions and making some system adjustments to take the terminated user out of your processes.
Is the user profile used to run a regularly scheduled batch job or a server job? In OS/400, most recurring jobs are scheduled through the job scheduler, and that requires the scheduler entry to designate which user profile the job should run under. This can create a problem when you delete a user profile because a scheduled job will fail if it is submitted to run under a user profile that doesn’t exist. So if you’re deleting a popular user profile (such as the former head of the IT department, who may have scheduled many jobs), you need to determine whether there are any jobs scheduled to run under his user profile and switch those jobs to run under another profile name.
As far as I know, there is no automated procedure in iSeries Navigator (OpsNav) to scan for scheduled jobs that run under a particular user profile, but you can find this information on a 5250 green screen by using the Work with Job Scheduled Entries (WRKJOBSCDE) command to create a printout containing information about all your scheduled jobs.
WRKJOBSCDE OUTPUT(*PRINT) PRTFMT(*FULL)
This command creates a detailed report of every job scheduler entry on your system, including the name of the user profile each job will run under. To find all the jobs that run under a particular user profile, display the printout created from the WRKJOBSCDE command and search for your target user profile name. When you find the user profile name in a particular job scheduler entry, you can again use the WRKJOBSCDE command to change the User parameter in that entry to an active user profile that has all the right authorities to run your job.
The other gotcha in this technique is that some jobs (along with their associated user profile names) are submitted from within CL programs or during an OS/400 IPL. In these cases, you may also want to check your IPL startup program code and the startup process for any server job that is currently running under the name of the terminated user profile.
Does the user profile own any objects in the system? This step is optional because you can also delete owned objects or transfer their ownership to another user profile as you delete the profile. The important point is that OS/400 will not delete a user profile that owns objects. So another key to successfully deleting a user profile is to either change the ownership of any objects it owns or delete the objects along with the user profile.
The iSeries Navigator doesn’t provide an easy way to perform these functions; you can view but not work with a user’s owned objects inside OpsNav. So you have to go back to the green screen once again and use the Work with Objects by Owner (WRKOBJOWN) command to view and change ownership for each object that a user profile owns.
This command displays all the objects owned by the target user. The WRKOBJOWN screen gives you the option to change an object’s owner (9=Change owner) or to delete an owned object (4=Delete). You can perform mass ownership changes by placing a 9 in front of all the owned objects and then specifying the user profile name of the new owner in the New Owner (NEWOWN) parameter on the command line, like this:
When you hit the Enter key, all the owned objects marked with a 9 will be changed to use the user profile specified in the NEWOWN parameter as their new owner. If you want to delete all the objects this user owns, simply put a 4 (delete) instead of a 9 in front of each object and perform the same routine.
Is the user profile that you’re going to delete a group profile? If other user profiles are depending on the soon to be deleted user profile for authorities by listing the profile as their primary or secondary group, you need to find those user profiles and change their group profile or Supplemental groups parameters (GRPPRF and SUPGRPPRF) to another group. To find all the user profiles that are members of a group profile, use the Display User Profile command (DSPUSRPRF) with the group member option, like this:
DSPUSRPRF USRPRF(user profile) TYPE(*GRPMBR)
This shows all the user profiles that list the terminating user profile in their group profile or supplemental group parameters. Before you can delete your user profile, then, you need to change these parameters in each of the depended-on user profiles.
Now that you’ve done the upfront work, you’re ready to delete your user profile. You can delete profiles by using either iSeries Navigator or the green screen.
For iSeries Navigator, open the Users and Groups and All Users nodes, and highlight the profile that you want to delete. Right-click the profile and choose Delete from the pop-up menu that appears. A Delete User panel will appear, with three radio buttons that tell OS/400 what to do with objects the user profile owns. The Do not delete if user owns objects button tells OS/400 to leave any owned objects alone and to retain the user profile if that user owns any objects. The Delete objects that user owns button tells OS/400 to delete all owned objects as it axes the user profile. And the Transfer objects to another user button tells OS/400 to transfer ownership to another user profile that you can select from a list. Once you make your selection and press the OK button, the user profile will be deleted and the owned objects will be changed, depending on which parameters you selected.
The user profile deletion process is similar to deleting profiles on the green screen. The big difference is that you use the Delete User Profile (DLTUSRPRF) command in one of the following three configurations:
DLTUSRPRF USRPRF(user profile) OWNOBJOPT(*NODLT) DLTUSRPRF USRPRF(user profile) OWNOBJOPT(*DLT) DLTUSRPRF USRPRF(user profile) OWNOBJOPT(*CHGOWN new user_profile)
In the first example, the user profile will be deleted, provided that it doesn’t own any objects. The second example will delete the user profile and all objects that it owns, while the third example will delete the user profile and transfer any objects it owns to another user profile.
At this point, you’re finished. The user profile has been safely deleted and most objects that were affected by the profile have been modified to account for the profile’s absence. This technique will take care of most user profile deletion scenarios.
Click here to contact Joe Hertvik by e-mail.